US authorities identify and charge Russian mastermind behind LockBit ransomware group
The ransomware group was allegedly behind attacks worth over $500 million, typically paid in Bitcoin.
The US Department of Justice (DOJ) has identified Russian national Dmitry Khoroshev as the mastermind behind the notorious LockBit ransomware gang and is offering a $10 million reward for information leading to his arrest.
In a 26-count criminal indictment unsealed Tuesday morning, prosecutors allege that Khoroshev, 31, developed, promoted, and oversaw the LockBit software, recruiting “affiliates” on cybercriminal forums who carried out the actual ransomware attacks. Affiliates would give Khoroshev a 20% cut of their earnings, typically paid in bitcoin (BTC), once a ransom was paid.
According to prosecutors, LockBit became one of the most prolific ransomware tools in the world between its inception in 2019 and the seizure of most of its infrastructure earlier this year. The gang’s network of affiliates attacked approximately 2,500 victims, 1,800 of which were in the US, and extorted an estimated $500 million in ransom payments.
The indictment states that Khoroshev received $100 million in bitcoin disbursements from LockBit’s activities over the course of its operation. US authorities are also seeking forfeiture of his ill-gotten gains.
In addition to the criminal charges, Khoroshev has been sanctioned by the US Treasury Department’s Office of Foreign Assets Control (OFAC), prohibiting all US persons, including future victims of a LockBit ransomware attack, from transacting with him.
One Bitcoin address associated with Khoroshev was added to the department’s “Specially Designated Nationals” list. Notably, search results indicate that this address only had two transactions, with the last transaction dated 2021.
However, law enforcement actions against LockBit are far from over. In February 2024, the National Crime Agency (NCA) and multinational law enforcement agencies, supported by private sector intelligence, carried out “Operation Cronos,” which dealt a significant blow to LockBit’s operations.
The operation resulted in the seizure of LockBit’s dark web sites, hacking infrastructure, source code, and cryptocurrency accounts, as well as the recovery of over 1,000 decryptor keys to help victims recover encrypted data. Two individuals were arrested, and sanctions were levied on Russian LockBit affiliates.
Chainalysis has identified hundreds of active wallets and 2,200 Bitcoin, worth nearly $110 million, in unspent LockBit ransomware proceeds that are yet to be laundered and transferred.
Despite the charges and sanctions, Khoroshev remains at large and, according to a March interview with The Record, continues to operate LockBit. Five other LockBit members have been charged with crimes for participating in the criminal operation, with at least one, dual Russian-Canadian national Mikhail Vasiliev, sentenced to prison.
Khoroshev faces a total of 26 charges, including conspiracy to commit fraud, extortion, wire fraud, intentional damage to protected computers, and extortion in relation to information unlawfully obtained from protected computers. If convicted, he could face a maximum of 185 years in prison.